Since intercepting HTTPS is considered a man-in-the-middle attack, and is even 
illegal in some jurisdictions (not the US, I hope), I am leery of proxying all 
the time and I want to take a hybrid approach.

Can I write a helper module for iptables that will allow me to evaluate the URL 
an HTTPS connection is targeting? I can maintain a whitelist of sites that are 
legitimate all the time and a blacklist of sites that are never legitimate, the 
goal being to not put a proxy in the middle unless the nature of the HTTPS site 
is unknown.

I'm also having problems getting TPROXY in the mangle table to work correctly, 
where the standard invocation won't support a nuanced approach. I only want to 
proxy for sites that are neither on the whitelist nor the blacklist. For sites 
on the blacklist, a redirect to a local web server telling you the URL is 
blacklisted is best. Actually, e2guardian should take care of that if you are 
going through it...

Is there a way to filter HTTPS with e2guardian and squid that is actually legal 
everywhere? The whole peek-and-splice approach is highly technical, where you 
end up with a weird certificate in the connection which Firefox complains 
about. Even if you say accept the risk, you rarely get to the site.

Living in the Midwest, it would be nice if an ISP existed that filters for you. 
Neither OpenDNS nor squid plus e2guardian alone is enough. Configuring 
e2guardian is a bit confusing, sadly :-( The whole point of e2guardian is 
processing meta tags for filtering purposes.

I find it sad that 90% of porn is probably using the https protocol. Even 
pornhub apparently is advertising that they are going to use TOR now to ensure 
that people have "private" access. Forgot about the actors in porn that later 
decide they made a huge mistake and they are plastered all over the Internet.

Linux does not have Covenant Eyes, and I prefer to work in Linux over Windows 
or macOS. Linux is cheaper, it's more powerful, and it works. I'm trying to 
build a low-cost server that has the sole purpose of filtering. As such, a 
500GB WD Black hard drive and an AMD Athlon II processor... I have 16-32 gigs of 
RAM, but that is the most expensive part. In a small tower case I used a USB 
thumb drive to install Debian Jessie. I probably should upgrade to Buster...

So I'm thinking the hybrid approach has three cases:

Case 1:
Unknown https site that must be accessed through a filtered proxy.

Case 2:
Known bad site that shouldn't be accessed at all and user should be told this 
is the case, redirect with no proxying.

Case 3:
Known good site that must be allowed direct without a proxy in the middle 
(think credit union, etcetera.)

I want the proxying to be transparent, but I have yet to get that working, 
where the standard approach is wrong. Sometimes there should be no interception 
when the attempt is to a known good site or a local resource. Management of the 
blacklist should be through a local web site on the filtering server.

I'm using OpenDNS; I don't know Spectrum's DNS servers. If only I could 
pre-populate a local blacklist with site names that OpenDNS blacklists.

Am I correct in thinking that I want to evaluate packets in the PREROUTING 
chain of the mangle table for whether or not they are HTTPS packets to a known 
bad site, a known good site, or an unknown site?
_______________________________________________
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug

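The three-case decision the post describes, as an added example that is not part of the original message or of any iptables, squid or e2guardian code. The one caveat a packet-level filter has to live with: nothing in an HTTPS connection exposes the URL, so the only plaintext the firewall can classify on is the server_name (SNI) extension in the TLS ClientHello (present in TLS 1.2 and in TLS 1.3 unless Encrypted Client Hello is in use). The code below parses the SNI out of a ClientHello record and maps it to the post's three outcomes; the hostnames in the whitelist and blacklist, and the ClientHello builder used as offline test input, are constructed for the example. How a decision like this gets back into iptables is an assumption noted in the usage note, not something the code does.

```python
"""Classify an HTTPS connection by the SNI in its TLS ClientHello.

Added example, not from the original post. Outcomes follow the post's cases:
  "proxy"  - case 1: unknown site, hand to the filtered (TPROXY) proxy
  "block"  - case 2: blacklisted, redirect to the local "blacklisted" page
  "direct" - case 3: whitelisted, pass through with no interception
"""
import struct
from typing import Iterable, Optional

# Constructed lists for the example; a real deployment would load these
# from the local management web site the post describes.
WHITELIST = {"creditunion.example", "lists.pdxlinux.org"}
BLACKLIST = {"bad.example"}


def extract_sni(record: bytes) -> Optional[str]:
    """Return the lowercase server_name from a TLS ClientHello, else None."""
    # TLS record header: content type (0x16 = handshake), version, length.
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: type (0x01 = ClientHello) and 3-byte length.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hello))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(ext) >= 5:   # server_name extension
            # server_name_list length (2), name_type (1), name length (2), name
            name_type = ext[2]
            name_len = struct.unpack("!H", ext[3:5])[0]
            if name_type == 0 and len(ext) >= 5 + name_len:
                return ext[5:5 + name_len].decode("ascii", "replace").lower()
    return None


def _listed(host: str, entries: Iterable[str]) -> bool:
    """True if host equals an entry or is a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in entries)


def classify(record: bytes) -> str:
    """Map one ClientHello record to "direct", "block" or "proxy"."""
    host = extract_sni(record)
    if host is None:
        return "proxy"        # no SNI (or not a ClientHello): treat as unknown
    if _listed(host, BLACKLIST):
        return "block"        # blacklist wins if a host is somehow on both
    if _listed(host, WHITELIST):
        return "direct"
    return "proxy"


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello for offline testing (not a capture)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name type
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32                 # version, random
             + b"\x00"                                  # empty session_id
             + b"\x00\x02\xc0\x2f"                      # one cipher suite
             + b"\x01\x00"                              # null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for h in ["www.creditunion.example", "bad.example", "unknown.example", None]:
        print(h, "->", classify(build_client_hello(h)))
```

To wire this into the PREROUTING chain of the mangle table, the assumption here is an NFQUEUE rule on TCP port 443 (for example `-j NFQUEUE --queue-num 1`) feeding a userspace daemon that calls `classify()` on the first data segment of each connection and sets a connection mark; the TPROXY rule then matches only the "proxy" mark, the "block" mark is redirected to the local web server, and "direct" falls through untouched. Two limits to keep in mind: only the first ClientHello of a TCP connection carries the SNI, so the verdict has to be remembered per connection (conntrack mark), and a client that resumes sessions or uses Encrypted Client Hello gives the filter nothing to classify, which is why "no SNI" defaults to the proxy rather than to direct.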